Today Everything's Connected

Your System is attackable...

When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness...

The Software Supply Chain?

"Scope of Supplier Expansion and Foreign Involvement" graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article "Software Development Security: A Risk Management Perspective", synopsis of May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks"


If the weaknesses in software were as easy to spot and their impact as obvious as...

CVE 1999 to 2011

Vulnerability Type Trends: A Look at the CVE List (2001 - 2007)
(chart; legend entries include int-overflow)


Removing and Preventing the Vulnerabilities Requires More Specific Definitions... CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (79)
• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)
• Improper Neutralization of Script in an Error Message Web Page (81)
• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)
• Improper Neutralization of Script in Attributes in a Web Page (83)
• Improper Neutralization of Encoded URI Schemes in a Web Page (84)
• Doubled Character XSS Manipulations (85)
• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)
• Improper Neutralization of Alternate XSS Syntax (87)
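The CWE-79 children above are split by the HTML context in which the untrusted data lands (element content, attributes, error pages, URI schemes, alternate spellings). The Python below is an added example written for this page, not code from the deck, from CWE or from MITRE: it encodes a value differently for three of those contexts and allow-lists URL schemes rather than trying to recognise every spelling of a dangerous one. The function names, the SAFE_URL_SCHEMES set and the sample comment values are all constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed allow-list of URL schemes that may appear in an href.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def encode_for_html_text(value: str) -> str:
    """Element-content context (CWE-80): '<', '>' and '&' must not be read
    as markup, so they are emitted as character references."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted-attribute context (CWE-82/83): quotes are encoded too, so the
    value cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> str:
    """URL-attribute context (CWE-84): allow-list the scheme instead of
    deny-listing spellings of 'javascript:'. A scheme outside the allow-list
    is replaced by an inert '#'. Relative URLs have no scheme and pass
    through. The result is still attribute-encoded, so an entity such as
    '&#106;' is emitted as '&amp;#106;' and the browser never decodes it
    back into a letter that could form a scheme."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return "#"
    return encode_for_html_attribute(value)


def render_comment(author: str, body: str, homepage: str) -> str:
    """Build one comment block, encoding each value for the context it lands in."""
    return (
        '<div class="comment" data-author="%s">'
        '<a href="%s">%s</a>: %s</div>'
        % (
            encode_for_html_attribute(author),
            safe_href(homepage),
            encode_for_html_text(author),
            encode_for_html_text(body),
        )
    )


if __name__ == "__main__":
    # Constructed sample values shaped like the cases CWE-80..84 describe.
    print(render_comment('x" onmouseover="alert(1)',
                         "<script>alert(1)</script>",
                         "javascript:alert(1)"))
```

The point of the three separate encoders is that one routine is not enough: the text encoder leaves quotes alone because they are harmless between tags, while the attribute encoder must not, and for URLs no amount of encoding fixes a bad scheme, so that context needs validation before encoding.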


Improper Restriction of Operations within the Bounds of a Memory Buffer (119)
• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (120)
• Write-what-where Condition (123)
• Out-of-bounds Read (125)
• Improper Handling of Length Parameter Inconsistency (130)
• Improper Validation of Array Index (129)
• Return of Pointer Value Outside of Expected Range (466)
• Access of Memory Location Before Start of Buffer (786)
• Access of Memory Location After End of Buffer (788)
• Buffer Access with Incorrect Length Value (805)
• Untrusted Pointer Dereference (822)
• Use of Out-of-range Pointer Offset (823)
• Access of Uninitialized Pointer (824)
• Expired Pointer Dereference (825)


Path Traversal (22)
• Relative Path Traversal (23)
• Path Traversal: '../filedir' (24)
• Path Traversal: '/../filedir' (25)
• <8 more here>
• Path Traversal: '....//' (34)
• Path Traversal: '.../...//' (35)
• Absolute Path Traversal (36)
• Path Traversal: '/absolute/pathname/here' (37)
• Path Traversal: '\absolute\pathname\here' (38)
• Path Traversal: 'C:dirname' (39)
• Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)
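The CWE-22 children above enumerate spellings, but a defender does not need one filter per spelling: canonicalizing the requested path against a base directory and then comparing prefixes rejects all of them. The Python below is an added example written for this page, not code from CWE or from MITRE; BASE_DIR, resolve_under_base and the sample requests are constructed for the example, and it assumes any URL or percent-decoding has already been applied so the check runs on the final string.

```python
import posixpath
import re
from typing import Optional

# Constructed base directory for the example (POSIX-style paths throughout).
BASE_DIR = "/srv/app/public"

# Windows drive-relative ('C:dirname', CWE-39) and UNC ('\\UNC\share', CWE-40)
# forms, which a POSIX path library would otherwise treat as ordinary names.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays inside `base_dir`,
    otherwise None, meaning the request must be refused."""
    # Absolute forms (CWE-36/37/38) and drive or UNC forms are never valid
    # user-supplied relative paths, so refuse them before canonicalizing.
    if requested.startswith(("/", "\\")) or _DRIVE_OR_UNC.match(requested):
        return None
    # Treat '\' as a separator so '..\' in Windows-flavoured input is seen as
    # a parent reference and not as part of a file name.
    normalized = requested.replace("\\", "/")
    # normpath collapses '.', '..' and repeated slashes. Doubled spellings such
    # as '....//' (CWE-34) or '.../...//' (CWE-35) are deliberately not
    # stripped first: they only beat filters that delete '../' once, and here
    # '....' is just a directory named '....' that stays inside the base.
    base_real = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base_real, normalized))
    # The decisive check: after canonicalization the base must still be a prefix.
    if posixpath.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests covering the variants named in the CWE list above.
    for req in ["img/logo.png", "../etc/passwd", "/etc/passwd",
                "..\\..\\windows\\win.ini", "C:dirname",
                "\\\\UNC\\share\\name\\", "....//secret.txt"]:
        print("%-28r -> %s" % (req, resolve_under_base(BASE_DIR, req)))
```

Note what the check does not do: it never looks for the strings '..' or '../' itself. Blacklisting spellings is exactly what CWE-34 and CWE-35 describe as being bypassed; comparing the canonical result against the base directory has no spelling to get wrong.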


Exploitable Software Weaknesses (a.k.a. vulnerabilities)

Vulnerabilities can be the outcome of non-secure practices and/or malicious intent of someone in the development/support lifecycle.

The exploitation potential of a vulnerability is independent of the "intent" behind how it was introduced.

(chart: Intentional Vulnerabilities vs. Unintentional Vulnerabilities)

Intentional vulnerabilities are spyware & malicious logic deliberately embedded (and might not be considered defects, but they can make use of the same weakness patterns as unintentional mistakes).

Note: Chart is not to scale - notional representation - for discussions


Common Weakness Enumeration (CWE)

• dictionary of weaknesses
  - weaknesses that can lead to exploitable vulnerabilities (i.e. CVEs)
  - the things we don't want in our code, design, or architecture
  - web site with XML of content, sources of content, and process used
• structured views
  - provides multiple views into CWE dictionary content
  - supports alternate views - developer/researcher/sub-views
• open community process
  - to facilitate common terms/concepts/facts and understanding
  - allows for vendors, developers, system owners and acquirers to understand tool capabilities/coverage and priorities
  - utilize community expertise

Making Security Measurable

Foundation for other DHS, NSA, OSD, NIST, OWASP, SANS, and OMG SwA Efforts

©2011 MITRE


...but sailing ships in the open ocean and building commerce and defense capabilities based upon them requires understanding...

...a more insightful depiction - one that shows what was going on under the surface - was needed...

...surface maps didn't capture the full set of threats and hazards - i.e. what was really going on...

...and warning signals to help others avoid known hazards were erected along with...

...indicators showing safe ways to avoid the known hazards...

(graphic: "Know Security Weaknesses", repeated)

...with defensive and offensive security capabilities.
Software [In]security: Cyber Warmongering and Influence Peddling

By Gary McGraw and Ivan Arce
Nov 24, 2010

Article is provided courtesy of Addison-Wesley Professional

"For years in computer security, we have been attempting to protect the broken stuff from the bad people by placing a barrier between the bad people and the broken stuff. We have failed. Instead, we need to fix the broken stuff so that attacking it successfully takes far more resources and skill than is currently the case."
CWE - Common Weakness Enumeration
http://cwe.mitre.org/

International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.


Building CWE & Consensus

Similar Standards:
• Attack Patterns (CAPEC)
• Vulnerabilities (CVE)
• Configurations (CCE)
• Platforms (CPE)
• Malware (MAEC)
• Assessment Language (OVAL)
• Checklist Language (XCCDF)
• Log Format (CEE)
• Security Content Automation (SCAP)

Making Security Measurable


News:
• Updated Common Weakness Scoring System (CWSS) White Paper Now Available
• LDRA Makes Two Declarations of CWE Compatibility
• Software Assurance keynote and Making Security Measurable table booth at International Conference on Software Quality
• CWE/Making Security Measurable booth at Black Hat DC 2011

Upcoming Events:
• CWE/Making Security Measurable booth at RSA 2011, February 14-18
• CWE/CAPEC/MAEC briefings at DHS/DoD/NIST SwA Forum, February 28 - March 4
• CWE/Making Security Measurable booth at 2011 Information Assurance Symposium, March a-10

Status Report

Version 1.11 posted December 13, 2010. 7 new entries were created, mostly related to synchronization and "functionality inclusion." One entry was deprecated. There are changes to 135 entries, especially potential mitigations, names, descriptions, demonstrative examples, and relationships. There were no schema changes.

More Information: cwe@mitre.org
PLOVER (CWE draft 1)

Plus Some Other Important Tool Players...
• CAST Software
• Polyspace
• Security Innovation
• Programming Research Inc
• SofCheck
CWE Compatibility & Effectiveness Program (launched Feb 2007)

Organizations Participating

All organizations participating in the CWE Compatibility and Effectiveness Program are listed below, including those with CWE-Compatible Products and Services and those with Declarations to Be CWE-Compatible.

cwe.mitre.org/compatible/

TOTALS
Organizations Participating: 29
Products & Services: 48

Products are listed alphabetically by organization name:


C Test Cases

C/C++ "Breadth" Test Case Coverage (pie chart):
• No Tools
• One Tool
• Two Tools: 11%
• Three Tools: 13%
• Four Tools: 15%
• GrammaTech: 4%
• Klocwork
• Coverity: 1%
• Fortify: 3%
• Ounce Labs: 2%

Java "Breadth" Test Case Coverage (pie chart):
• No Tools: 40%
• Three Tools: 18%
• Four Tools: 12%
• Coverity: 0%
• FindBugs: 1%
• Fortify: 7%
• Klocwork: 1%
• Ounce Labs: 3%
• PMD: 2%
Code Analysis Effectiveness Assessment...

Coverity Coverage For Common Weakness Enumeration (CWE): C/C++

CWE IDs mapped to Klocwork Java issue types
From current: CWE IDs mapped to Klocwork Java issue types. See also Detected Java Issues.
CWE IDs mapped to Klocwork C and C++ issue types
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. They occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site also contains data on more than 700 additional programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The main goal for the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list will be a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them to ask for more secure software. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
What Errors Are Included in the Top 25?

Version 2.0 Updated February 16, 2010

The Top 25 Programming Errors are listed below:
• Programming Error Category: Insecure Interaction Between Components (8 errors)
• Programming Error Category: Risky Resource Management (10 errors)
• Programming Error Category: Porous Defenses (7 errors)

Click on the headline in any of the listings (or the MORE link) and y
the MITRE CWE site where you will find the following:
• Ranking of each Top 25 entry,
• Links to the full CWE entry data,
• Data fields for weakness prevalence and consequences,
• Remediation cost,
• Ease of detection,
• Code examples,
• Detection Methods,
• Attack frequency and attacker awareness,
• Related CWE entries, and
• Related patterns of attack for this weakness.

Each entry at the Top 25 Programming Errors site also includes fairl
steps that developers can take to mitigate or eliminate the weakn

View Press Release concerning the 2010 Updates
View the Top 25 Programming Errors for 2009 Here

Programming Error Category: Insecure Interacti

[1] CWE-79: Failure to Preserve Web Page Structur
Cross-site scripting (XSS) is one of the most prevalent, obstinate
applications...If you're not careful, attackers can...MORE »

[2] CWE-89: Failure to Preserve SQL Query Structi
Introduction

The 2010 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to

Main Goals

• Raise awareness for developers
• Help universities to teach secure coding
• Empower customers who want to ask for more secure software
• Provide a starting point for in-house software shops to measure their own progress
Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

• CWE-20: Improper Input Validation
• CWE-116: Improper Encoding or Escaping of Output
• CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
• CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
• CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-362: Race Condition
• CWE-209: Error Message Information Leak

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
• CWE-642: External Control of Critical State Data
• CWE-73: External Control of File Name or Path
• CWE-426: Untrusted Search Path
• CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
• CWE-494: Download of Code Without Integrity Check
• CWE-404: Improper Resource Shutdown or Release
• CWE-665: Improper Initialization
• CWE-682: Incorrect Calculation

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

• CWE-285: Improper Access Control (Authorization)
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• CWE-259: Hard-Coded Password
• CWE-732: Insecure Permission Assignment for Critical Resource
• CWE-330: Use of Insufficiently Random Values
• CWE-250: Execution with Unnecessary Privileges
• CWE-602: Client-Side Enforcement of Server-Side Security


Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems. For each weakness, its ranking in the general list is provided in square brackets.

Rank  CWE ID   Name
[1]   CWE-79   Failure to Preserve Web Page Structure ("Cross-site Scripting")
[2]   CWE-89   Improper Sanitization of Special Elements used in an SQL Command ("SQL Injection")
[4]   CWE-352  Cross-Site Request Forgery (CSRF)
[8]   CWE-434  Unrestricted Upload of File with Dangerous Type
[9]   CWE-78   Improper Sanitization of Special Elements used in an OS Command ("OS Command Injection")
[17]  CWE-209  Information Exposure Through an Error Message
[23]  CWE-601  URL Redirection to Untrusted Site ("Open Redirect")
[25]  CWE-362  Race Condition

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Rank  CWE ID   Name
[3]   CWE-120  Buffer Copy without Checking Size of Input ("Classic Buffer Overflow")
[7]   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
[12]  CWE-805  Buffer Access with Incorrect Length Value
[13]  CWE-754  Improper Check for Unusual or Exceptional Conditions
[14]  CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ("PHP File Inclusion")
[15]  CWE-129  Improper Validation of Array Index
[16]  CWE-190  Integer Overflow or Wraparound
[18]  CWE-131  Incorrect Calculation of Buffer Size
[20]  CWE-494  Download of Code Without Integrity Check
[22]  CWE-770  Allocation of Resources Without Limits or Throttling

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

Rank  CWE ID   Name
[5]   CWE-285  Improper Access Control (Authorization)
[6]   CWE-807  Reliance on Untrusted Inputs in a Security Decision
[10]  CWE-311  Missing Encryption of Sensitive Data
[11]  CWE-798  Use of Hard-coded Credentials
[19]  CWE-306  Missing Authentication for Critical Function
[21]  CWE-732  Incorrect Permission Assignment for Critical Resource
[24]  CWE-327  Use of a Broken or Risky Cryptographic Algorithm
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Summary
Weakness Prevalence: High
Consequences: Data loss, Security bypass
Remediation Cost: Low
Ease of Detection: Easy
Attack Frequency: Often
Attacker Awareness: High

Discussion

These days, it seems as if software is all about the data: getting it into the database, pulling it from the database, massaging it into information, and sending it elsewhere for fun and profit. If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security. They could modify the queries to steal, corrupt, or otherwise change your underlying data. They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so.

Prevention and Mitigations

Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.

Architecture and Design

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since you may...
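To make the prepared-statement mitigation concrete, the Python below is an added example written for this page (not one of CWE-89's own demonstrative examples, and not MITRE code) that puts a concatenated query next to a parameterized one against a constructed in-memory SQLite table. The table contents, the login_* function names and the sample inputs are assumptions of the example.

```python
import sqlite3
from typing import Dict, List, Tuple

Row = Tuple[str, str]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table used only by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """CWE-89 pattern: the query text is assembled from untrusted input, so the
    input is parsed as SQL and can change the logic of the WHERE clause."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[Row]:
    """Mitigation from the text: a prepared statement with bound parameters.
    The SQL is fixed at the call site and the input is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def compare(name: str, password: str) -> Dict[str, List[Row]]:
    """Run the same credentials through both versions and return what each yields."""
    conn = build_demo_db()
    try:
        return {
            "concatenated": login_concatenated(conn, name, password),
            "parameterized": login_parameterized(conn, name, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A valid login behaves identically in both versions...
    print(compare("alice", "correct horse"))
    # ...but a name carrying an SQL comment marker ends the WHERE clause early
    # in the concatenated version, so its password comparison never runs,
    # while the parameterized version simply finds no user with that name.
    print(compare("alice' --", "not the password"))
```

The parameterized version never interpolates the input into the SQL text at all; routing the input into sqlite3's `executescript`, or formatting it into a string that is executed later, would bring the weakness straight back, which is the point the entry is making about "exec" and similar functionality.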
Monster Mitigations

These mitigations will be effective in eliminating or reducing the severity of the Top 25. These mitigations will also address many weaknesses that are not even on the Top 25. If you adopt these mitigations, you are well on your way to making more secure software.

A Monster Mitigation Matrix is also available to show how these mitigations apply to weaknesses in the Top 25.
ID    Description
M1    Establish and maintain control over all of your inputs.
M2    Establish and maintain control over all of your outputs.
M3    Lock down your environment.
M4    Assume that external components can be subverted, and your code can be read by anyone.
M5    Use industry-accepted security features instead of inventing your own.
GP1   (general) Use libraries and frameworks that make it easier to avoid introducing weaknesses.
GP2   (general) Integrate security into the entire software development lifecycle.
GP3   (general) Use a broad mix of methods to comprehensively find and prevent weaknesses.
GP4   (general) Allow locked-down clients to interact with your software.

Monster Mitigation Matrix (columns M1 to M5, then the CWE; each cell rates a mitigation as High, Mod, Ltd or DiD; empty cells are not shown, so the ratings below are in row order without their column positions):

High, DiD, Mod | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Mod, High, DiD, Ltd | CWE-78: Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
Mod, High, Ltd | CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
Mod, High, DiD, Ltd | CWE-89: Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
Mod, DiD, Ltd | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Mod, DiD, Ltd | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
High, DiD, Ltd | CWE-129: Improper Validation of Array Index
Mod, DiD, Ltd | CWE-131: Incorrect Calculation of Buffer Size
Mod, DiD, Ltd | CWE-190: Integer Overflow or Wraparound
Ltd, High, DiD, Mod | CWE-209: Information Exposure Through an Error Message
DiD, Mod, Mod | CWE-285: Improper Access Control (Authorization)
Mod, Mod | CWE-306: Missing Authentication for Critical Function
DiD | CWE-311: Missing Encryption of Sensitive Data
High | CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Ltd | CWE-352: Cross-Site Request Forgery (CSRF)
DiD | CWE-362: Race Condition
Mod, DiD, Mod | CWE-434: Unrestricted Upload of File with Dangerous Type
DiD | CWE-494: Download of Code Without Integrity Check
Mod, Mod, Ltd | CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Mod, DiD, Mod | CWE-732: Incorrect Permission Assignment for Critical Resource
Mod, Ltd, DiD | CWE-754: Improper Check for Unusual or Exceptional Conditions
Ltd, DiD, Ltd | CWE-770: Allocation of Resources Without Limits or Throttling
DiD, [illegible], Mod | CWE-798: Use of Hard-coded Credentials
Mod, DiD, Ltd | CWE-805: Buffer Access with Incorrect Length Value
Mod, DiD, Mod, Mod | CWE-807: Reliance on Untrusted Inputs in a Security Decision

Focus Profiles

The prioritization of items in the general Top 25 list is just that - general. The rankings, and even the selection of which items should be included, can vary widely depending on context. Ideally, each organization can decide how to rank weaknesses based on its own criteria, instead of relying on a single general-purpose list.

A separate document provides several "focus profiles" with their own criteria for selection and ranking, which may be more useful than the general list.

Name: Description

On the Cusp: Weaknesses that Did Not Make the 2010 Top 25
    From the original nominee list of 41 submitted CWE entries, the Top 25 was selected. This "On the Cusp" profile includes the remaining weaknesses that did not make it into the final Top 25.

Educational Emphasis
    This profile ranks weaknesses that are important from an educational perspective within a school or university context. It focuses on the CWE entries that graduating students should know, including historically important weaknesses.

Weaknesses by Language
    This profile specifies which weaknesses appear in which programming languages. Notice that most weaknesses are actually language-independent, although they may be more prevalent in one language or another.

Weaknesses Typically Fixed in Design or Implementation
    This profile lists weaknesses that are typically fixed in design or implementation.

Automated vs. Manual Analysis
    This profile highlights which weaknesses can be detected using automated versus manual analysis. Currently, there is very little public, authoritative information about the efficacy of these methods and their utility. There are many competing opinions, even among experts. As a result, these ratings should only be treated as guidelines, not rules.

For Developers with Established Software Security Practices
    This profile is for developers who have already established security in their practice. It uses votes from the major developers who contributed to the Top 25.

Ranked by Importance for Software Customers
    This profile ranks weaknesses based primarily on their importance, as determined from the base voting data that was used to create the general list. Prevalence is included in the scores, but it has much less weighting than importance.

Weaknesses by Technical Impact
    This profile lists weaknesses based on their technical impact, i.e., what an attacker can accomplish by exploiting each weakness.

Background Details to Check Out

• Process description
• Changelog for each revision
• On the Cusp - weaknesses that almost made it
• Appendices
  - Selection Criteria and Supporting Fields
  - Threat Model for the Skilled, Determined Attacker

Making Security Measurable
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Frequently  Asked  Questions  (FAQJ 


How  is  this  different  from  the  OWASP  Top  Ten? 

The  short  answer  is  that  the  OWASP  Top  Ten  covers  more  general  concepts  and  is  focused  on  web  applications. 
The  CWE  Top  25  covers  a  broader  range  of  issues  than  what  arise  from  the  web-centric  view  of  the  OWASP 
Top  Ten,  such  as  buffer  overflows.  Also,  one  goal  of  the  CWE  Top  25  is  to  be  at  a  level  that  is  directly 
actionable  to  programmers,  so  it  contains  more  detailed  issues  than  the  categories  being  used  in  the  Top  Ten. 
There  is  some  overlap,  however,  since  web  applications  are  so  prevalent,  and  some  issues  in  the  Top  Ten  have 
general  applications  to  all  classes  of  software. 

How  are  the  weaknesses  prioritized  on  the  list? 

With  the  exception  of  Input  Validation  being  listed  as  number  i  (partially  for  education  al  purposes),  there  is  no 
concrete  prioritization.  Prioritization  differs  widely  depending  on  the  audience  (e.g.  web  application  developers 
versus  OS  developers)  and  the  risk  tolerance  (whether  code  execution,  data  theft,  or  denial  of  service  are  more 
important).  It  was  also  believed  that  the  use  of  categories  would  help  the  organization  of  the  docu  ment,  and 
prioritization  would  impose  a  different  ordering. 

Why are you including overlapping concepts like input validation and XSS, or incorrect calculation and buffer overflows? Why do you have mixed levels of abstraction?

While it would have been ideal to have a fixed level of abstraction and no overlap between weaknesses, there are several reasons why this was not achieved.

Contributors sometimes suggested different CWE identifiers that were closely related. In some cases, this difference was addressed by using a more abstract CWE identifier that covered the relevant cases.

In other situations, there was strong advocacy for including lower-level issues such as SQL injection and cross-site scripting, so these were added. The general trend, however, was to use more abstract weakness types.

While it might be desirable to minimize overlap in the Top 25, many vulnerabilities actually deal with the interaction of two or more weaknesses. For example, external control of user state data (CWE-642) could be an important weakness that enables cross-site scripting (CWE-79) and SQL injection (CWE-89). Eliminating overlap in the Top 25 would lose some of this important subtlety.

Finally, it was a conscious decision that if there was enough prevalence and severity, design-related weaknesses would be included. These are often thought of as being more abstract than weaknesses that arise during implementation.

The Top 25 list tries to strike a delicate balance between usability and relevance, and we believe that it does so, even with this apparent imperfection.

Why don't you use hard statistics to back up your claims?

The appropriate statistics simply aren't publicly available. The publicly available statistics are either too high-level or not comprehensive enough, and none of them are comprehensive across all software types and environments.


People  are  Starved  for  Simplicity 


[Figure: Google Analytics screenshot for cwe.mitre.org, comparing February 3, 2010 - March 5, 2010 with December 30, 2008 - January 29, 2009]


The Top 25 is not...

• A silver bullet

• A guarantee of software health

• A perfect match for your unique needs

• As simple as it seems

• The only thing to include in contract language

• Completely found by tools




The Top 25 is...

• A mechanism for awareness

• A trigger of questions

• A place for mitigations

• A conversation starter

• A first step on the long road to software assurance




CWE Top 25 for 2011

• Started last month

• Utilizing the Common Weakness Scoring System (CWSS 0.4) and the Common Weakness Risk Assessment Framework (CWRAF 0.4) as underpinning

• Will have numerous "Top 10's" & one "Top 25"

- Including Web, Embedded, e-Voting, ...

• Final "master" Top 25 list will leverage the combined score from multiple vignettes.

• No fixed date for release of the 2011 Top 25 at this point; it may take 2 to 3 months.

Common Weakness Scoring System (CWSS)


Archetypes: 

•  Web  Browser  User  Interface 

•  Web  Servers 

•  Application  Servers 

•  Database  Systems 

•  Desktop  Systems 

•  SSL 


Vignettes:

1. Web-based Retail Provider

2. Intranet-resident health records management system of a hospital


Business  Value  Context  (BVC) 

Identifies  critical  assets  and  security  concerns 

Links  Technical  Impacts  (derived  from  CWE 
weaknesses)  with  business  implications 

More  fine-grained  model  than  the  CIA  Triad 


CWE  Technical  Impacts 


1.  Modify  memory 

2.  Read  memory 

3.  Modify  files  or  directories 

4.  Read  files  or  directories 

5.  Modify  application  data 

6.  Read  application  data 

7.  DoS:  crash  /  exit  /  restart 

8.  DoS:  amplification 

9.  DoS:  instability 


10.  DoS:  resource  consumption  (CPU) 

11.  DoS:  resource  consumption  (memory) 

12.  DoS:  resource  consumption  (other) 

13.  Execute  unauthorized  code  or  commands 

14.  Gain  privileges  /  assume  identity 

15.  Bypass  protection  mechanism 

16.  Hide  activities 


Calculating CWSS Impact Weights

Vignette weightings (Technical Impact Scorecard):

10 - Execute System Code
6 - Read System Data
3 - System Unstable Execution
2 - Network Resource Consumption
1 - Read Application Data

[Figure: each CWE's technical impacts are looked up in the vignette's Technical Impact Scorecard; the impact weight is the maximum of those weightings divided by 10.0]

CWE-x (Execute System Code, Network Resource Consumption): Max (10, 2)/10.0 = 1.0

Second entry in the figure: Max (3, 6)/10.0 = 0.6

Third entry in the figure: Max (1)/10.0 = 0.1



Scoring Weaknesses Discovered in Code using CWSS

[Figure: analysis tool findings are fed into the CWSS scoring engine, which returns a score per finding]

Analysis tool findings:

Line 23: CWE-109
Line 72: CWE-84
Line 104: CWE-482
Line 212: CWE-9
Line 213: CWE-754

Steps:

1. Establish weightings for the vignette

2. Run code through analysis tool(s)

3. Tools produce report of CWEs found in code

4. CWSS scoring engine automatically scores each CWE based on vignette definition

5. Go to step 2 for each piece of code applicable to this vignette

Scored output (as shown in the figure):

Line 212: CWE-9: 9.9
Line 72: CWE-84: 7.9
Line 23: CWE-109: 5.6
Line 104: CWE-482: 3.1
Line 213: CWE-754: 0.0

Step 1 is only done once - the rest is automatic


Scoring Relevant Weaknesses using CWSS

Steps:

1. Establish weightings for the vignette

2. CWSS scoring engine processes each relevant CWE entry and automatically scores the entry based on vignette definition

3. CWE entries presented in priority order based on vignette-driven CWSS scores

4. Organization now has its own customized "Top N list" of critical weaknesses for this vignette

[Figure: relevant CWE entries (CWE-6, CWE-45, CWE-73, CWE-89, ...) and the vignette's Technical Impact Scorecard feed the CWSS scoring engine, which outputs the ranked list shown in the figure: CWE-89: 9.2, CWE-6: 8.3, CWE-45: 5.6, CWE-721: 4.4, CWE-482: 3.1, CWE-754: 0.0, CWE-73: 0.0; the score beside CWE-238 is not legible]

Step 1 is only done once - the rest is automatic
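Worked example of the impact-weight step from the scorecard slide and of the scoring-engine steps above, as added Python that is not code from the original deck. The CWE-to-impact mapping and the analysis-tool report are constructed for illustration, and the block implements only the technical-impact-scorecard part of CWSS (max weighting / 10.0), not the full CWSS formula, which this deck does not give.

```python
# Vignette weightings, taken from the deck's "Calculating CWSS Impact
# Weights" scorecard: technical impact -> weight on a 0..10 scale.
VIGNETTE_WEIGHTS = {
    "Execute System Code": 10,
    "Read System Data": 6,
    "System Unstable Execution": 3,
    "Network Resource Consumption": 2,
    "Read Application Data": 1,
}

# Constructed, hypothetical mapping from weakness IDs to the technical
# impacts each can cause (placeholder IDs; not CWE's real impact data).
CWE_IMPACTS = {
    "CWE-x": ["Execute System Code", "Network Resource Consumption"],
    "CWE-y": ["System Unstable Execution", "Read System Data"],
    "CWE-z": ["Read Application Data"],
}


def impact_weight(cwe_id, cwe_impacts=CWE_IMPACTS, weights=VIGNETTE_WEIGHTS):
    """Scorecard step: Max(weighting of each technical impact) / 10.0.

    A weakness whose impacts the vignette does not weight scores 0.0,
    which is how an irrelevant finding drops to the bottom of the list.
    """
    impacts = cwe_impacts.get(cwe_id, [])
    weighted = [weights.get(impact, 0) for impact in impacts]
    return max(weighted, default=0) / 10.0


def rank_findings(findings, cwe_impacts=CWE_IMPACTS, weights=VIGNETTE_WEIGHTS):
    """Scoring-engine step: score each (line, cwe_id) finding for the
    vignette and return them in priority order, i.e. the organisation's
    own 'Top N list' for this vignette (step 1 fixed the weights once)."""
    scored = [(line, cwe, impact_weight(cwe, cwe_impacts, weights))
              for line, cwe in findings]
    return sorted(scored, key=lambda entry: entry[2], reverse=True)


if __name__ == "__main__":
    # Constructed analysis-tool report: (source line, weakness id).
    report = [(23, "CWE-z"), (72, "CWE-y"), (212, "CWE-x"), (213, "CWE-unweighted")]
    for line, cwe, weight in rank_findings(report):
        print(f"Line {line}: {cwe}: {weight:.1f}")
```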


CWSS  for  a  Technology  Group 
CWE Top 10 List for Web Applications can be used to:

*  Identify  skill  and  training  needs  for  your  web  team 

*  Include  in  T’s  &  C’s  for  contracting  for  web  development 

*  Identify  tool  capability  needs  to  support  web  assessment 


Technology Group - Archetypes/Description

Web Applications: Web browser, web-server, web-based applications and services, etc.

Industrial Control Systems: SCADA, process control system, etc.

Real-time, Embedded Systems: Embedded device, programmable logic controller, implanted medical devices, avionics package.

End-point Computing Devices: Smart phone, laptop, personal digital assistant (PDA), and other remote devices that leave the enterprise and/or connect remotely to the enterprise.

Cloud Computing: Hosted applications or capabilities provided over the Internet, including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).

Operating Systems: General-purpose OS, virtualized OS, real-time operating system (RTOS), hypervisor, microkernel.

Enterprise Desktop Applications/Systems: Office products such as word processing, spreadsheets, project management, etc.

Domain Name - Description

E-Commerce: The use of the Internet or other computer networks for the sale of products and services, typically using on-line capabilities.

Banking & Finance: Financial services, including banks, stock exchanges, brokers, investment companies, financial advisors, and government regulatory agencies.

Public Health: Health care, medical encoding and billing, patient information/data, critical or emergency care, medical devices (implantable, partially embedded, patient care), drug development and distribution, food processing, clean water treatment and distribution (including dams and processing facilities), etc.

Energy: Smart Grid (electrical network through a large region, using digital technology for monitoring or control), nuclear power stations, oil and gas transmission, etc.

Chemical: Chemical processing and distribution, etc.

Manufacturing: Plants and distribution channels, supply chain, etc.

Shipping & Transportation: Aerospace systems (such as safety-critical ground aviation systems, on-board avionics, etc.), shipping systems, rail systems, etc.

National Security: National security systems (including networks and weapon systems), Defense Industrial Base, etc.

Government and Commercial Security: Homeland Security systems, commercial security systems, etc.

Emergency Services: Systems and services that support first responders, incident management and response, law enforcement, and emergency services for citizens, etc.

Telecommunications: Cellular services, land lines, VOIP, cable & fiber networks, etc.

Telecommuting & Teleworking: Support for employees to have remote access to internal business networks and capabilities.

eVoting: Electronic voting systems, as used within state-run elections, shareholder meetings, etc.

Vignettes - Technology Groups & Business/Mission Domains

[Figure: grid of Technology Groups (Web Applications, Real-Time Embedded Systems, Control Systems, End-Point Computing Devices, Database & Storage Systems, Operating Systems, Identity Management Systems, Enterprise Systems Apps, Cloud Computing) across the top and Business/Mission Domains down the side; each cell is a Vignette for a Domain/Technology Group pair, with a Common Vignette for each Technology Group along the bottom row]


Common  Weakness  Risk  Assessment  Framework  uses  Vignettes  with  Archetypes  to  identify  top  CWEs  in  respective  Domain/Technology  Groups 


CWRAF: Common Weakness Risk Analysis Framework

[Figure: Domains (e.g. Chemical, Energy, E-Voting) and Technology Groups (e.g. Control Systems, Web Applications, Embedded Devices) combine into Vignettes (e.g. SCADA, HMI, Smart Grid); each Vignette carries a Business Value Context (e.g. financial loss, privacy violation) and a Technical Impact Scorecard, e.g. 10 - Code execution, 6 - Read Sensitive Data, 3 - DoS: Unpredictable Execution]


Customizing CWRAF to a Single In-house Software Package

[Figure: the components of one web application (product search & browse, admin console, shopping cart) are mapped to Domains (B2B communication, admin and maintenance, public e-commerce site), Technology Groups (Web Applications, Mobile Apps) and Vignettes (e.g. payment); the Business Value Context (financial loss, privacy violation) yields a Technical Impact Scorecard: 10 - Code execution, 6 - Read Sensitive Data, 3 - DoS: Unpredictable Execution]


Relationships between CWRAF, CWSS, and CWE

[Figure: CWRAF provides Vignettes (technical & business context) to specify relevant, applicable CWEs, and influences scoring using business value and technical context. CWE (by ID, e.g. CWE-79, CWE-22, CWE-120, CWE-89, CWE-78, CWE-311, CWE-285, CWE-352, CWE-807, CWE-434) influences scoring using technical impacts. CWSS applies scoring criteria to rank relevant weaknesses and provides results in prioritized lists of relevant CWE IDs for specific Vignettes.]

Note: CWSS can be used in the context of CWRAF, but it is not a requirement.



Questions? 


